We are pulling in mysql_query events from a freeradius server however one of the field values has an or "|" in it, so Splunk is ignoring the correct next value. Here is the log entry:
acctinputoctets = '0' << 32 | '442929', acctoutputoctets = '0' << 32 | '7920416'
Splunk is pulling only the '0' for the values. We need it to ignore the: '0' << 32 |
How do we update the field values so that the correct value is indexed?
Instead of using automatic field extraction, you will probably need to specify the fields. You can do this
props.conf
[yoursourcetype]
REPORT-fe=extract_fields
transforms.conf
[extract_fields]
FORMAT = $1::$2
REGEX = (\w+)\s*\=.*?\|\s*'(.*?)'
You may need to add
KV_MODE = none
to props.conf, but it would be better if you didn't need it.
Instead of using automatic field extraction, you will probably need to specify the fields. You can do this
props.conf
[yoursourcetype]
REPORT-fe=extract_fields
transforms.conf
[extract_fields]
FORMAT = $1::$2
REGEX = (\w+)\s*\=.*?\|\s*'(.*?)'
You may need to add
KV_MODE = none
to props.conf, but it would be better if you didn't need it.
How are you ingesting data? using DB Connect OR file monitoring?? Looks like you got some prefix with field value, which you can correct before indexing (for new events only) OR use Field extraction to ignore in the field value.
We are using the Splunk Universal Forwarder to pull in /var/log/mysql/mysql_query.log